MS ISA vs. Esoft's Instagate EX2 or others

Posted on 2002-04-17
Medium Priority
Last Modified: 2013-11-16
We have about forty users here and at the moment are only using a DSL router and NAT for protection. We have finally talked the partners into getting a decent firewall. One of our consultants says MS ISA is the way to go. Another says his company has had nothing but trouble with MS ISA and they switched to Esoft's Instagate EX2 and they love it. Easy to set up and manage.

Does anyone have an opinion on this or a suggestion on a better firewall?

We are running W2K Servers, Exchange 5.5 (soon to be exchange 2000), DSL for internet access.

Our wants are to have the most secure firewall we can get for under $2500 - $3000. We would like to be able to block just a few specific sites.

Thanks for your advice in advance,
Question by: rodney777

Accepted Solution

Mishou earned 400 total points
ID: 6948392

MS ISA is good too. However you will still be vulnerable to OS problems. That's the reason that I would recommend an appliance.

For that amount of money you can have a firewall appliance. Something like Netscreen 5, WatchGuard (with a plug-in for webfilter).

Or if you want something based on Linux with a nice interface try Astaro (www.astaro.com) that has web proxy included and VPN capabilities (like the other two mentioned above).


Expert Comment

ID: 6948728
I'd second the Netscreen's.  They're cheap, fast, easy to manage, and just plain work great.  You might also check out the new CheckPoint SofaWare boxes, or, depending on how small your network is, even something like an SMC Baricade.  All of these are in the sub $1000 range.

HOWEVER, this all depends on what kind of "extras" you want, like the ability to plug in things like anti-virus scanning, content filtering, easy creation of DMZs, and secure connectivity for remote users.

For these things, look at the slightly higher end Netscreens, the low-end Cisco PIXes, and the Intrusion Inc. CheckPoint boxes.

MS ISA server does have these things, but as Mishou pointed out, do you really want to have the only protection of your network be a Windows box?

Expert Comment

ID: 6948755
ditto above
ISA is too primitive, not easy to understand, built too cheap, but what do you expect from a SW company?

I dunno on Esoft's Instagate EX2, but see no reason to contradict your source.

Rule of thumb is firewall s/b hardware, and Windows is vulnerable, so get that OS behind as many real protections as you can.

Linux is quite common, for going on the cheap.

Expert Comment

ID: 6950095
ISA is not bad but SEVERELY limited in more complicated setups. Main hindrance is that they do not support full DeMilitarisedZone handling - filtering can only be put completely on one of the two NIC borders and not on the other. Most competitors, e.g. Checkpoint, CA and Cisco, handle this a lot better - so I suppose ESoft would do as well.

Hope this helps,

<Erik> - The Netherlands

Expert Comment

ID: 6952135
agreed, better to do better
While you await, train staff to quit running EM/'net worms like Klez. Firewalls do not stop the humans.

Expert Comment

ID: 6952147
ref: http://www.computerworld.com/storyba/0,4125,NAV47_STO70290,00.html
"New variant of Klez worm detected By JAIKUMAR VIJAYAN (April 18, 2002)
A new variant of a worm that takes advantage of vulnerabilities in unpatched Internet Explorer and Outlook Express software from Microsoft Corp. is spreading in the wild, antivirus vendors warned. "

Author Comment

ID: 6960398
Thanks for the info everyone.
We were looking at Watchguard's boxes last year and decided on that but now there seem to be more options and we are just trying to make sure we don't miss something.
I'm looking into checkpoint and netscreen to see how they compare to Esoft's Instagate EX2.

Expert Comment

ID: 6961303
Another vote for Netscreen here.  My organization runs over 200 appliance firewalls, a combination of Checkpoint, PIX, and Netscreen.  The Netscreens are by far the nicest of the bunch.

If you're getting by with a DSL router right now, then I would say a Netscreen 10 would do just fine (would actually be a much higher performance firewall). You can pick one up for around $1300.

Expert Comment

ID: 6969854
I vote for Astaro (www.astaro.com) - someone mentioned this was linux - true enough, but you'd never know it looking at the interface.  It seems to have all the functionality of every appliance I've seen, and is infinitely extensible if you know something about linux.  I can give you the name of a company that will sell you an astaro "appliance" as a drop-in solution, if you so desire.

While security through obscurity may not be a great idea, security through diversity is not such a bad thing (although it is arguably a subset of security through obscurity).  For that reason alone, stay away from MS products when choosing your firewall.



Expert Comment

ID: 7013328
My vote is for the Watchguard Fireboxes.  They're easy/intuitive to use, fast, reliable, powerful and they have a lot of good features, such as VPN support built in (l2tp from firebox, pptp from a standard Windows machine and upgradeable to l2tp from a client if you use their VPN client which isn't expensive).

They also feature NT authentication, which although not perfect is better than a lot of other products.  The HTTP Proxy (inc. Web Blocker), FTP Proxy and SMTP Proxy are handy too.

Expert Comment

ID: 7197217
Another vote on ISA.
A company called Microsoft tried it, and chose an alternative vendor instead.

Case closed. Between the two, one of them is an obvious loser.

Expert Comment

ID: 9709151
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to Mishou.
Please leave any comments here within the next seven days.


EE Page Editor
